Welcome back to the blog. This is my second write-up about my bug hunting journey. This one is about how I used a Google service to send email from any domain name, with an arbitrary subject and body.

You could fairly say that I could hijack Google's email service to send any email to anyone I wanted. Sounds severe, right? I agree, but the Google Security Team treated it as a low-severity bug, since in their view anyone can already send spam email, so the finding did not qualify for a reward. OK, they have a point, and the process of finding it was fun anyway. Let's see how I managed to hijack their email service.

Google's Firebase is a super useful service that saves developers a lot of effort. It provides an authentication service that integrates with whatever platform you want, such as web, iOS and Android, so developers do not need to build an authentication mechanism from scratch. There are some functions Firebase must provide in order to offer a competent service, and sending password reset emails is one of those must-haves.

From the screenshot below, we can see that it lets us use our own domain name and our own template to deliver the password reset email. Firebase is nice enough to allow developers to specify their own domain name as the sender of the email. Before using a custom domain name, we have to prove to Google that we actually own the domain.

But here is the problem: I could specify any domain name without proving I owned it. This is a classic example of a careless developer mistake. Looking only at the front end, we cannot tamper with the domain name, because the UI restricts the choice. However, if we capture the traffic and look at the request body, we can change the domain name there and bypass the check instantly, because the value the client sends is never re-validated on the server side. In the request body, I noticed the field

{"email":"noreply@luminous-app-1234.firebase.com"}

so I changed it to

{"email":"ron@attacker.com"}

and triggered the password reset. The final result is this.
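To make the missing check concrete, here is an added example of my own (not the author's code and not Firebase's implementation): a minimal server-side handler in the vulnerable form, which stores whatever sender the client posts, beside a hardened form that only accepts a sender whose domain exactly matches one of the project's verified domains. The project object, its field names, the verified domain list and the request bodies are all constructed for this example.

```javascript
'use strict';

// Constructed sample project state. The field names are this example's own
// assumptions, not Firebase's real data model.
function makeProject() {
  return {
    id: 'luminous-app-1234',
    // Domains whose ownership has already been proven through the verification step.
    verifiedDomains: new Set(['luminous-app-1234.firebase.com', 'example.com']),
    sender: 'noreply@luminous-app-1234.firebase.com',
  };
}

// Vulnerable handler: the UI is the only thing restricting the value, so a
// proxy-edited body such as {"email":"ron@attacker.com"} is accepted as-is.
function setSenderVulnerable(project, body) {
  project.sender = body.email;
  return project.sender;
}

// Extract and normalize the domain part of an address. Rejects display-name
// forms ("Ron <ron@attacker.com>"), embedded whitespace and multiple '@'.
function senderDomain(address) {
  if (typeof address !== 'string') return null;
  const m = /^[^\s@<>]+@([^\s@<>]+)$/.exec(address.trim());
  if (!m) return null;
  return m[1].toLowerCase().replace(/\.$/, '');
}

// The check that was missing: an exact match against the verified domains.
// Exact matching matters; a suffix or substring test would let a domain like
// "luminous-app-1234.firebase.com.attacker.com" through.
function isAllowedSender(project, address) {
  const domain = senderDomain(address);
  return domain !== null && project.verifiedDomains.has(domain);
}

// Hardened handler: re-validates the client-supplied value on the server.
function setSenderHardened(project, body) {
  if (!isAllowedSender(project, body.email)) {
    throw new Error('sender domain is not verified for this project');
  }
  project.sender = body.email.trim();
  return project.sender;
}

// Replay the write-up's tampered request plus a few variants against both handlers.
function demo() {
  const requests = [
    { email: 'noreply@luminous-app-1234.firebase.com' },         // what the UI actually sends
    { email: 'ron@attacker.com' },                               // the edited body from the write-up
    { email: 'NoReply@Example.COM' },                            // verified domain, odd casing
    { email: 'x@luminous-app-1234.firebase.com.attacker.com' },  // suffix trick
    { email: 'Ron <ron@attacker.com>' },                         // display-name smuggling
  ];
  return requests.map((body) => {
    const vulnerable = setSenderVulnerable(makeProject(), body);
    let hardened;
    try {
      hardened = setSenderHardened(makeProject(), body);
    } catch (e) {
      hardened = 'rejected';
    }
    return { sent: body.email, vulnerable, hardened };
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints one row per request: the vulnerable handler accepts every address, including the write-up's ron@attacker.com, while the hardened handler accepts only the two addresses on verified domains and rejects the attacker address, the suffix trick and the display-name form. The point is that the domain picker in the UI is a convenience, not a control; the verified-domain check has to happen where the request is processed.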

Hijacked Domain Name

So I documented all these findings and sent them to the Google Security Team, and they had it fixed within a week. Of course nepstorwarlock@gmail.com is very obviously a scam address, but imagine I had used donation@google.com with a nicely crafted message: it would not be difficult to deliver spam effectively by abusing this bug.